Every day I experience life in the world of healthcare IT, supporting 3000 doctors, 18000 faculty, and 3 million patients. In this blog I record my experiences with infrastructure, applications, policies, management, and governance as well as muse on such topics as reducing our carbon footprint, standardizing data in healthcare, and living life to its fullest.

Tuesday, May 6, 2008

Role-based Access Control

Protecting privacy is foundational to electronic health records and healthcare information exchange. In 2007, the Healthcare Information Technology Standards Panel specified the technical standards needed to ensure the security of patient records and these will be incorporated into vendor products over the next 2-3 years.

At BIDMC, our privacy controls are based on the concept of "minimum need to know" and are implemented via single sign-on authentication, auditing, role-based access control and a "lock box" for mental health notes.

Authentication

Each person working at or affiliated with BIDMC has a unique username and password which they use to access applications, sign notes, and write orders. In the 1990's each person had numerous usernames and passwords of differing complexity and password expiration timeframes. In 2000, we built an enterprise-wide LDAP directory to manage all our user accounts. In 2003, we interfaced it to Microsoft's Active Directory and we created processes to tightly manage these accounts, including standardizing our policies for password complexity and expiration. In 2005, we built a portal and web services to enable single sign-on authentication to virtually all our applications. This means that our users only have to remember one password, albeit a very complex password (non-English word, mixed case, alphanumeric) that expires every 200 days. Passwords are activated centrally to ensure we have appropriate approvals and management oversight of each user. Whenever a clinician or staff member leaves the organization, their password is immediately deactivated for all applications.

Auditing

We store an audit of every patient lookup made by a clinician or staff member. All stakeholders at BIDMC know that violating confidentiality results in termination. We run automated tools to examine the audit trails and highlight suspicious behavior.

Authorization

The centerpiece of our privacy controls is over 500 access control rules which limit access to information based on job role and application function. For each application, we work with our stakeholders and Governance Committees to define the required levels of access based on the functions within the application. End users are then assigned an "authorization string" that offers access to the minimum information relevant to their role for each application.

For example, in an Appointment Scheduling application, front desk staff can make appointments, update registrations and perform charge entry. A practice manager can do all of that plus maintain schedules and run management reports. As we add functions to our applications, we determine which authorization is required to access each function.

Role-based access also has workflow implications. In our Provider Order Entry application, a staff doctor or resident can write an order but if a medical student writes an order, it is not visible to the nurse until it has been co-signed. A nurse can write only verbal orders, and a unit coordinator cannot write orders but can discharge patients. In our electronic health record, a resident can write a progress note but only a staff doctor can co-sign that note.
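The rule table and workflow rule described above, as an added example that is not BIDMC's code: a constructed per-application table of role-to-function grants (the post's "authorization string"), a default-deny check, and the order-entry rule that a medical student's order is invisible to nursing until co-signed. The role and function names, and the assumption that only a staff doctor co-signs orders, are mine.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rule table modelled on the post's examples: per application, each
# role's "authorization string" is the set of functions it may invoke.
RULES = {
    "scheduling": {
        "front_desk": {"make_appointment", "update_registration", "charge_entry"},
        "practice_manager": {"make_appointment", "update_registration", "charge_entry",
                             "maintain_schedule", "run_management_report"},
    },
    "order_entry": {
        "staff_doctor": {"write_order", "cosign_order"},  # co-sign right assumed here
        "resident": {"write_order"},
        "medical_student": {"write_order"},
        "nurse": {"write_verbal_order"},
        "unit_coordinator": {"discharge_patient"},
    },
}

def authorized(role: str, app: str, function: str) -> bool:
    """Minimum need to know: deny unless the rule table explicitly grants the function."""
    return function in RULES.get(app, {}).get(role, set())

@dataclass
class Order:
    author_role: str
    text: str
    cosigned_by: Optional[str] = None

def write_order(role: str, text: str) -> Order:
    if not authorized(role, "order_entry", "write_order"):
        raise PermissionError(f"{role} may not write orders")
    return Order(role, text)

def cosign(order: Order, role: str) -> Order:
    if not authorized(role, "order_entry", "cosign_order"):
        raise PermissionError(f"{role} may not co-sign orders")
    order.cosigned_by = role
    return order

def visible_to_nursing(order: Order) -> bool:
    # Workflow rule from the post: a medical student's order stays hidden from
    # nursing until it has been co-signed; everyone else's order is visible at once.
    return order.author_role != "medical_student" or order.cosigned_by is not None
```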

Monitored notes

We recognize that some portions of the medical record such as mental health notes are more sensitive than others. In the early 1990's we created a lock box for such information called "monitored notes". The author of protected information places the data in the electronic lock box. Other clinicians can only access this data by providing written justification of the need to open the lock box. Each lock box access is emailed to the author of the content and is reviewed by our security team.
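The auditing and monitored-notes controls above, as one added example that is not BIDMC's code: every lookup is recorded, a lock box opens only against a written justification (with the open audited and reported to the note's author), and a detection pass over the audit trail flags users who touch an unusual number of distinct patients in a short window. The event layout, the sample users and the threshold and window values are constructed assumptions, not BIDMC's.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class AuditEvent:
    when: datetime
    user: str
    patient: str
    kind: str         # "lookup" or "lockbox"
    detail: str = ""  # written justification for a lock-box open

class Records:
    def __init__(self):
        self.audit, self.outbox = [], []  # outbox stands in for e-mail to note authors

    def lookup(self, user, patient, when):
        self.audit.append(AuditEvent(when, user, patient, "lookup"))

    def open_lockbox(self, user, author, patient, justification, when):
        # A monitored note opens only against a written justification; the open is
        # audited and reported to the note's author for the security team to review.
        if not justification.strip():
            raise PermissionError("written justification required to open a monitored note")
        self.audit.append(AuditEvent(when, user, patient, "lockbox", justification))
        self.outbox.append(f"to {author}: {user} opened the monitored note of {patient}: {justification}")
        return True

    def suspicious_users(self, window=timedelta(hours=1), threshold=20):
        """Flag users who looked up more than `threshold` distinct patients within any `window`."""
        by_user = defaultdict(list)
        for ev in self.audit:
            if ev.kind == "lookup":
                by_user[ev.user].append(ev)
        flagged = set()
        for user, events in by_user.items():
            for start in events:
                seen = {e.patient for e in events if timedelta(0) <= e.when - start.when <= window}
                if len(seen) > threshold:
                    flagged.add(user)
        return flagged

def demo():
    # Constructed sample: a nurse makes three routine lookups; another user sweeps 25 charts in 25 minutes.
    r = Records()
    t0 = datetime(2008, 5, 6, 9, 0)
    for i in range(3):
        r.lookup("nurse_a", f"patient-{i}", t0 + timedelta(minutes=10 * i))
    for i in range(25):
        r.lookup("browser_b", f"patient-{100 + i}", t0 + timedelta(minutes=i))
    return r
```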

Health Information Exchange between organizations relies on all these protections plus opt-in patient consent for sharing data with external providers. HITSP standards include the use of the OASIS standard called XACML for role-based access control and HL7 Consent standards to document patient data exchange preferences. The current Nationwide Health Information Network pilots and our project to exchange disability application data with the Social Security Administration include these protections.

Our over 500 rules controlling every data element in every application have been an effective means to protect confidentiality. With constant vigilance, a team of 4 full time security professionals monitoring our systems, and yearly third party audits, we're doing our best to maintain the trust of our patients.

12 comments:

I like it! Just as important as RBAC is the use of federated, claims-based security (SAML, WS-Trust) to ensure that the "minimum need to know" philosophy is also applied to user credentials and claims. This way we can get rid of passwords where possible and don't need "one Active Directory to rule them all" especially since this doesn't scale to a national or global level.

The purpose of RBAC is to preserve the patient's trust in an institution and BI is to be commended for promoting their respect for patient privacy by implementing the systems you describe.

However, when it comes to "Health Information Exchange between organizations", the issue may not be standards such as XACML but the social engineering problem of describing a policy to a patient in a useful way.

Here are two possibilities:

1 - BI publishes a version of the roles.doc list in the form of a Directory and allows a patient that wants to send medical info TO you to pick a line, or

2 - BI publishes the Directory listing jhalamka.openid.bidmc.org and allows the patient to indicate that they trust bidmc.org or jhalamka at bidmc.org to treat their information according to whatever internal access control policies and rules they implement.

Obviously, 1 and 2 are not mutually exclusive and I'm sure there are dozens of dimensions to the privacy and informed consent universe across institutions.

My point is that from the consumer's perspective, you might enhance BI's brand more by leaning toward Option 2 and making it easier and more transparent for patients to connect with your services rather than trying to explain the meaning and value of micro-managing opt-in.

Thanks John for providing this detailed account of how consumer privacy is addressed within BIDMC over the last several years. In your previous post about the BIDMC EMR system, I did have some concerns regarding distributed access in the IDN, which for the most part have been resolved. Now on to the next question...

How will this work in the broader context of consumer-controlled records, ala Google Health, the opt-in and sharing features that a consumer may define within Google Health (or even HealthVault or Dossia) and reconciliation between BIDMC's system/rules and those outside which are consumer-driven?

Role-based access controls do not protect privacy. The longstanding definition of privacy in American and international law is that 'privacy' means the individual's right to control the acquisition, use, and disclosure of personal information.

The BIDMC role-based access controls are determined by the staff and help to improve the security and confidentiality of patient data, but do not ensure privacy or consumer control over who can see and use personal data. Consumers don't have a say in setting role-based access to PHI at this institution.

It is distressing that John does not understand the difference between privacy, security, and confidentiality. Blurring the meanings of these words is confusing and misleading.

IT experts should use standard definitions of these key terms. The NCVHS 2006 definition of privacy is a good one to use in healthcare. It mirrors the traditional legal definition above.

As John described how the BIDMC system works, clinicians can access "monitored notes" without specific consumer consent.

The BIDMC system does not allow consumers to decide which clinicians can access their sensitive records, eliminating consumers' rights to privacy and control over PHI.

The author of a "monitored note" gets an audit trail of who has seen the note after the fact, but the patient has no say in advance of who can see their sensitive notes.

It appears from John's description of the BIDMC system that patients are required to give compelled blanket consents for broad access to their PHI to thousands of members of the staff when they enter the hospital, rather than obtaining contemporaneous consent for a new clinician or consultant to access PHI.

The BIDMC has a long way to go to ensure patients' privacy rights are built into electronic records.

Exquisite electronic consent management tools exist today that would allow patients at BIDMC to set their consents electronically, change them instantly, and allow immediate access to new clinicians and staff at the time of treatment. Broad directives could also be set to allow access to key data needed in emergencies or to ensure that a family physician or internist gets copies of all new health information, but an allergist or podiatrist just gets medication updates.

Without robust 'smart' consent management systems, hospitals are forced to try and figure out who got access to your PHI that should not have seen it, after the fact. If consent management tools are used, inappropriate access cannot occur in the first place.

With robust consent management tools in place, BIDMC would not need to have 4 full-time security professionals to monitor the system. There would be nothing to monitor if all access is contemporaneously controlled via robust independent consent management tools, which simultaneously create audit trails for every access to PHI.

John, as the CIO for Caregroup, it's long past time for you to focus on restoring the strong legal and ethical privacy rights of the people of MA and ensure that BIDMC uses new privacy-innovative technologies.

An Electronic Medical Records system provides benefits such as storing and sharing of patients' health records while ensuring the privacy and confidentiality of patients' information. This wipes out all the errors associated with the conventional paper-based system. The EMR collects and stores the patients' health information data from all the sources like hospitals, laboratories, healthcare professionals, pharmacies and insurance companies etc.

eMedReport provides online doctor consultation so that patients can receive quality medical care from experienced, sympathetic physicians. Through it, users can have access to a variety of health topics and patient education tools on various public health topics such as HIV/AIDS, Cancer, Diabetes, Asthma etc.